blaxel-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to retrieve and use tool definitions from sandbox-hosted MCP endpoints (e.g., bl_tools(["sandbox/my-sandbox"]) and the sandbox MCP at https://<SANDBOX_URL>/mcp) and to create/access public preview URLs, which are user-deployable, third-party content that the agent reads and that can change tool availability and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Dockerfile explicitly copies and relies on the sandbox binary hosted at ghcr.io (ghcr.io/blaxel-ai/sandbox:latest), which is fetched during template build/deploy and then executed by the entrypoint (/usr/local/bin/sandbox-api), so remote content is retrieved at runtime/build and directly executes code.